Step‑by‑Step Analysis and Exploitation of a QQ Phishing Site

This article is not meant to show off but to educate readers about practical penetration tools and methods by dissecting a real QQ phishing site that steals user credentials.

The phishing page is accessed via a shortened link (uvu.cc/ixMJ) that redirects to http://mfspfgp.top. The login form accepts any QQ number and password, and the POST request is sent to http://mfspfgp.top/lollove.php with the parameters name and pass.

Using Python, the author forged a browser User‑Agent, generated random QQ numbers and passwords, and employed the requests library to repeatedly POST dummy data (about 10 000 requests) to the target, aiming to flood the site with garbage entries.

Reconnaissance steps followed: the domain was pinged to obtain the IP address 103.98.114.75, WHOIS lookup revealed a Hong Kong server, and associated QQ email and phone number were identified.

Port scanning with nmap showed many open ports, for example:

PORT STATE SERVICE
1/tcp open tcpmux
3/tcp open compressnet
4/tcp open unknown
6/tcp open unknown
7/tcp open echo
9/tcp open discard
... (truncated) ...
65389/tcp open unknown

A w3af scan uncovered a sensitive link http://103.27.176.227/OGeU3BGx.php, which displayed an error page containing the clue “Powered by wdcp”. Visiting the WDCP demo site led to the backend address http://103.27.176.227:8080.

Further testing showed the password‑change page always uses the username admin and lacks a captcha, suggesting brute‑force is possible, though sqlmap found no SQL injection points.

In conclusion, while DDoS attacks could temporarily take down such phishing sites, the operators can quickly spin up new copies. The purpose of the article is to teach beginners common penetration tools so they can recognize and defend against phishing threats.